计算机科学与探索 (Journal of Frontiers of Computer Science and Technology) 2025, Vol. 19, Issue 6: 1640-1655 (16 pages). DOI: 10.3778/j.issn.1673-9418.2406068
多维度边优化溯源图改进的APT攻击检测方法
Improved APT Detection with Multi-dimensional Edge Optimization in Provenance Graph
Abstract

Because advanced persistent threat (APT) attacks are complex and long-lived, provenance graphs, which record causal relationships among system events, have been applied in existing research to APT detection and forensic analysis. Three problems limit such approaches: the explosive growth of the provenance graph, the over-smoothing caused by imbalanced data samples, and the data sparsity that relational algorithms suffer when system event types are excessively diverse. To address them, an improved APT detection method based on multi-dimensional edge optimization of the provenance graph is proposed. First, a multi-module front-end parsing scheme for system kernel logs is designed to handle provenance-graph modeling over massive log data and to supplement the contextual semantics missing from the raw data. Next, a K-hop subgraph sampling method incorporating an edge reduction optimization strategy is used to focus on the local structures related to attack activity. The extracted multi-dimensional edge features are then learned with graph embedding techniques and integrated into an embedded representation of edge attributes. Finally, attention computation over multi-dimensional edge attributes and node features is introduced into the graph attention network (GAT) and merged with the inter-node attention computation to form a hybrid attention mechanism. Hyperparameter tuning and ablation experiments show that the proposed method effectively reduces the scale of the provenance graph while lowering computational resource consumption and algorithmic time complexity. Comparative experiments confirm that, under data imbalance and diverse event types, the overall detection performance of the model is significantly improved: compared with a traditional relational algorithm such as R-GCN, Precision, Recall and F1 score improve by 5.70, 4.35 and 5.08 percentage points respectively.

Key words: provenance graph; APT detection; graph attention networks; edge optimization; graph sampling

Classification: Information Technology and Security Science
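As an added illustration of the pre-processing stages the abstract describes (front-end parsing of kernel events into a provenance graph, edge reduction, K-hop subgraph sampling, and multi-dimensional edge features), the following example was written for this page; it is not the authors' implementation. The sample events, the duplicate-triple merge used as the edge reduction strategy, the syscall vocabulary, and the feature layout are all assumptions chosen for illustration, since the page does not give the paper's own definitions.

```python
import math
from collections import deque

# Constructed sample of parsed kernel-audit events (subject, syscall, object, timestamp).
# Illustrative only; not drawn from the paper's dataset. Repeated writes by curl to the
# same file stand in for the redundant edges that inflate a raw provenance graph.
EVENTS = [
    ("bash",         "execve",  "curl",                 1),
    ("curl",         "connect", "203.0.113.5:443",      2),
    ("curl",         "write",   "/tmp/payload",         3),
    ("curl",         "write",   "/tmp/payload",         4),
    ("curl",         "write",   "/tmp/payload",         5),
    ("bash",         "execve",  "/tmp/payload",         6),
    ("/tmp/payload", "read",    "/etc/passwd",          7),
    ("/tmp/payload", "connect", "203.0.113.5:443",      8),
    ("sshd",         "read",    "/etc/ssh/sshd_config", 9),
    ("cron",         "execve",  "logrotate",            10),
    ("logrotate",    "write",   "/var/log/syslog.1",    11),
]

OP_VOCAB = ("execve", "connect", "write", "read")  # assumed event-type vocabulary


def build_provenance_graph(events):
    """Build a node set and an edge dict from parsed events.

    Edge reduction (an assumed strategy, not necessarily the paper's): all events with the
    same (subject, object, syscall) triple collapse into one edge carrying a count and the
    first/last timestamps, so multiplicity survives as an edge attribute instead of as
    parallel edges.
    """
    nodes = set()
    edges = {}
    for src, op, dst, ts in events:
        nodes.update((src, dst))
        key = (src, dst, op)
        attrs = edges.get(key)
        if attrs is None:
            edges[key] = {"count": 1, "first": ts, "last": ts}
        else:
            attrs["count"] += 1
            attrs["first"] = min(attrs["first"], ts)
            attrs["last"] = max(attrs["last"], ts)
    return nodes, edges


def k_hop_subgraph(edges, seeds, k):
    """Induced subgraph on every node within k hops of the seeds (edges followed both ways)."""
    adj = {}
    for src, dst, _ in edges:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        u = queue.popleft()
        if dist[u] == k:
            continue
        for v in adj.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    sub_edges = {key: attrs for key, attrs in edges.items()
                 if key[0] in dist and key[1] in dist}
    return set(dist), sub_edges


def edge_feature_vector(key, attrs, op_vocab=OP_VOCAB):
    """Multi-dimensional edge feature: one-hot syscall, log-scaled count, active duration.

    The layout is an assumption for illustration; the paper's feature set is not on this page.
    """
    _, _, op = key
    onehot = [1.0 if op == o else 0.0 for o in op_vocab]
    return onehot + [math.log1p(attrs["count"]), float(attrs["last"] - attrs["first"])]


def reduction_ratio(events, edges):
    """Fraction of raw events removed by collapsing duplicates into attributed edges."""
    return 1.0 - len(edges) / len(events)


if __name__ == "__main__":
    nodes, edges = build_provenance_graph(EVENTS)
    print(f"{len(EVENTS)} events -> {len(nodes)} nodes, {len(edges)} edges "
          f"({reduction_ratio(EVENTS, edges):.0%} edge reduction)")
    sub_nodes, sub_edges = k_hop_subgraph(edges, ["curl"], k=2)
    for key, attrs in sorted(sub_edges.items()):
        print(key, edge_feature_vector(key, attrs))
```

Sampling around the seed `curl` with k=2 keeps the download, drop-and-execute and `/etc/passwd` read chain while leaving the unrelated `sshd`, `cron` and `logrotate` activity out of the subgraph, which is the locality effect the abstract attributes to K-hop sampling; the merged write edge keeps its multiplicity in the `count` feature rather than as three parallel edges.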
Cite this article: 何厚翰, 芦天亮, 张岚泽, 袁梦娇, 曾高俊. 多维度边优化溯源图改进的APT攻击检测方法 [J]. 计算机科学与探索, 2025, 19(6): 1640-1655.

Funding: This work was supported by the Science and Technology Program of the Ministry of Public Security of China (2023JSM09) and the Fundamental Research Funds for the Central Universities of China (2023JKF01ZK08).